Privacy Notice – Personnel

General

This document describes the processing of personal data in Abloy Oy’s human resources administration. This privacy notice provides the data subject and the supervisory authority with the information required by the European Union’s General Data Protection Regulation (GDPR 679/2016).

Controller and contact details

Name: Abloy Oy
Postal address: Wahlforssinkatu 20, 80100 Joensuu, Finland.
Telephone (exchange): +358 20 599 2501
Business ID: 0774324-5
Email address: privacy@abloy.com

This email address is to be used only for matters related to data protection. For all other matters, the correct contact information can be found at www.abloy.com.

Whose data is processed?

The data subjects are individuals who are or have been in an employment or managerial relationship with Abloy Oy and, with limited information, temporary agency workers and consultants.

What is the purpose and legal basis for processing personal data?

The processing of personal data is necessary in order to fulfil the data controller’s statutory obligations, to implement an employment or management contract to which the data subject is party, and to fulfil the legitimate interests of the data controller. The processing of personal data of temporary agency workers and consultants is necessary based on the legitimate interests of the data controller in order to fulfil the service agreement.

The data controller ensures that processing based on legitimate interests is proportionate to the interests of data subjects and is in line with their reasonable expectations.

Personal data is used to maintain information about the data subject’s employment relationship with Abloy Oy, exercise the employer’s supervisory and direction rights, process and pay compensation for travel and other expenses, forward calls and contact, maintain records of working hours, provide occupational healthcare services, manage skills, training and employee benefits, pay salaries, maintain contact with the authorities, compile statistics, process requests for certificates and salary information, manage equipment and define information about the access rights to data systems required by employees.

Personal data groups of the data subject

Purpose of processing a data group

Basis of data processing

Basic personal data

Identification of individuals, granting user and access rights, mailing (e.g. salary certificates), contact (e.g. in emergencies), and statistics

Contractual and statutory obligations

Work contact information

Carrying out work-related tasks via email and/or by telephone

Contract

Employment information

Basic employment information for payroll accounting, paying compensation for travel and general expenses and maintaining records of working hours. Background information for calculating pensions, collecting employee association fees and compiling statistics

Contractual and statutory obligations

Investigations carried out at the beginning of employment (internal recruitment)

Study certificates and other important documents relevant to the position are verified.

The occupational healthcare service provider assesses the applicant’s state of health.

Credit information is checked in positions where the applicant is required to show special trust and direct financial responsibility.

A concise security clearance or a security officer identity card must be applied for in positions for which background information needs to be checked.

In addition, an aptitude test can be conducted.

Legitimate interest of the data controller. 

The information is necessary in order to succeed in the recruitment process and to assess the applicant’s suitability.

 

The processing of credit information during the recruitment process is based on the applicant’s consent.

Introduction information

Verifying introduction regarding the employee’s work and working conditions, the correct use of tools and safe working methods

Verifying introduction regarding the employee’s work and working conditions, the correct use of equipment and safe working methods

Information about equipment and access rights

Management of equipment and access rights

Legitimate interest of the data controller. Recording information about equipment and access rights ensures that personnel have adequate equipment and access rights for their work tasks. Additionally, the traceability of access rights is ensured.

Salary information and payroll accounting results

Payroll accounting, taxation, pensions, statistics and other official purposes

Contractual and statutory obligations

Information about absences and holidays

Management and monitoring of absences and holidays

Contractual and statutory obligations

Working hours registrations

Working hours monitoring and hourly registrations for payroll accounting

Contractual and statutory obligations

Information about substitute arrangements

Defining the right to substitutes and carrying out tasks during substitute arrangements

Legitimate interest of the data controller

Discussions of the ability to work

Assessing the ability to work after an extended absence

Legitimate interest of the data controller and statutory obligation. Discussions of the ability to work are used to establish whether something can be done at the workplace to prevent illness.

Performance appraisals

Defining task-specific goals and preparing a competence development plan

Legitimate interest of the data controller. An individual’s work and know-how can be improved based on performance appraisals.

Job descriptions

Describing the content of tasks and defining the difficulty of tasks in accordance with the collective agreement

Legitimate interest of the data controller. The job requirements, as provided in the collective bargaining agreements, directly affect salaries and are defined in the job descriptions.

Culture and exercise benefits

Granting and managing employee benefits

Agreement and the legitimate interest of the data controller.

Personal data is required in order to grant the benefits to the right persons.

Work- and training-related travel and expense reports

Monitoring working hours during travel and paying travel expense compensation, daily allowances and other expense compensation

Legitimate interest of the data controller and statutory obligation. Processing is needed to ensure the validity of the payment of travel time pay, daily allowance and reimbursement of expenses.

Skills

Securing the skills required in business activities and tasks

Legitimate interest of the data controller. Maintaining information related to skills is required in order to ensure adequate know-how in different working tasks and substitution.

Contact information of the next of kin

Establishing contact in the case of an accident or illness

Protecting the vital interests of data subjects

 

The data controller does not carry out any automated decision making.

What personal data is processed?


Abloy job applicants and employees


Personal data group

Data content

Basic personal data

First names, calling name, last name, telephone number (work/home), address, email address (work)

Personal identity code, date of birth, ID number (work), gender, native language, nationality.

Contact details of a next of kin provided by the person

Date of joining the company

Work contact information

Tasks, work mobile number, extension, substitute arrangements and photo

 

Employment information

Bank account, tax card, pension insurance, employee association fee information, basic employment data, fringe benefits, statistical groups, posting data, location and supervisor

Investigations carried out at the beginning of employment

References, state of health, aptitude test, credit information, security clearance and verification of identity

Introduction training information

Introduction completed and approved

Information about equipment and access rights

Information about given and returned equipment, access rights and their approval

Salary information and payroll accounting results

Euro-denominated hourly and/or monthly salary used as the basis of salary payments

Suggestion and invention compensation paid, travel time, alarm and on-call duty compensation, non-recurring items and euro-denominated values of fringe benefits

Realised hours and amounts in payroll accounting (salary transactions, gross and net salary, deductions and manual corrections)

Information about absences and holidays

Sick leave, parental leave, study leave, alternation leave and other absences affecting payroll accounting, accumulated holidays and holiday periods

Discussions of the ability to work

Discussion date, estimate of factors leading to absence from work, opportunities to prevent such factors and approval

Working hours registrations

Background settings for working hours registrations, registered working hours and resulting working hours

Information about substitute arrangements

Substitutes during holidays and absences

Educational and work history

Education, studies, previous work experience and certificates

Performance appraisals

Content and date of performance appraisals, goals and competence development plan

Job descriptions

Most recent revision, position and its content

Culture and exercise benefits

Granted benefits, validity date and information about specific benefits

Skills

Skills in tasks, goals and information about starting to learn a new skill

Telephone directory of the ASSA ABLOY Group

First and last names, title, company, location of company, address of company, work telephone number, Skype address, department, skills, email, language and photo.

Temporary agency workers and consultants

 

Personal data group

Data content

Basic personal data

First names, calling name, last name, date of joining the company

Work contact information

Tasks, work phone number, work email address

Information about equipment and access rights

Information about given and returned equipment, access rights and their approval

Information about absences and holidays

Sick leave, parental leave, study leave, alternation leave and other absences affecting payroll accounting, accumulated holidays and holiday periods

Working hours registrations

Background settings for working hours registrations, registered working hours and resulting working hours

Telephone directory of the ASSA ABLOY Group

Title, company, location of company, address of company, work telephone number, Skype address, department, email, language

How is personal data collected?

The data stored on data subjects is data provided by the data subjects themselves. Those data subjects who have access rights to the personal data register system can maintain their own basic personal data. The basic personal data of temporary agency workers and consultants are received from respective employers.

In addition, data is maintained and updated using data produced by the authorities, partners and the data controller during the employment relationships of data subjects. When data is collected from sources other than data subjects, the consent of each data subject must be requested for the collection of data in accordance with the Act on the Protection of Privacy in Working Life (759/2004).

However, no consent is needed when an authority transfers data to Abloy in order to carry out a task defined in the legislation or when the employer obtains credit information or information from criminal records in order to assess the reliability of an individual. If Abloy assesses the reliability of an individual, it will notify data subjects of this beforehand.

If data is collected from sources other than data subjects, Abloy will notify data subjects of the data obtained before it uses it to make decisions on employees.

Who will the data be transferred to?


Abloy employees

 

Recipient

Purpose of the disclosure

Tax administration

Paying taxes

Social Insurance Institution (Kela)

Paying compensation for sick, family and other leave

Employee associations

Paying employee association membership fees

Execution authorities

Paying execution costs

Insurance broker

Processing the company’s insurance data

Insurance companies

Calculating employee pensions and processing compensation to be paid for accidents

Unemployment office services

Alternation leave notifications

Occupational healthcare

Maintaining health records

Security services

Maintaining facility security

Online salary calculation operator

Electronic payslips for employees

Telecom operator

Mobile services, exchange services and internet subscriptions

Travel agency

Booking and invoicing work travel

Exercise and culture benefit provider

Management of employee benefits

Printing shop

Address information for the personnel magazine

Training service provider

Personnel training

Patent office

Processing invention reports

ASSA ABLOY Group

Salary information about managerial relationships and specifications to personnel reporting

Telephone directory of the ASSA ABLOY Group

Contact within the Group

Service providers

Maintenance and support tasks for data systems

Central statistical office of Finland

Statistics

Confederation of Finnish Industries

Statistics

Temporary agency workers and consultants

 

Recipient

Purpose of the disclosure

Telephone directory of the ASSA ABLOY Group

Work-related contact within the Group

Is personal data processed outside the European Union?

Abloy Oy transfers and discloses personal data to the ASSA ABLOY Group outside the EU/EEA area for Group control purposes and for the organization of the Group’s operations.

The service provider of the employees’ travel booking and travel expense services may give access to personal data of the services to its support organizations located in India, the U.S.A. and Australia.

When transferring data outside the EU or EEA, we use standard contractual clauses approved by the EU Commission in order to protect the data properly. For further information, please visit the EU Commission’s website.

What are the storage periods for personal data?

The data collected in the register will be kept for as long as necessary, and to the extent necessary, for fulfilment of the original or compatible purposes for which the personal data was collected.

 

Personal data groups

Storage time

Basic personal data

10 years after the end of employment

Work contact information

3 months after the end of employment

Employment information

10 years after the end of employment

Investigations carried out at the beginning of employment

5 years after the end of employment

Introduction information

3 years after the end of employment

Information about tools and access rights

3 months after the end of employment

Salary information and/or history

(euro-denominated values on which salary payments are based)

6 years from the end of the year during which salary was paid

Payroll accounting

10 years after the end of the financial period

Pay sheets

50 years after the end of the financial period

Statement of accounts listings for memberships

10 years after the end of the financial period

Information about absences

10 years after the end of employment

Discussions of the ability to work

2 years after the discussion

Working hours registrations

5 years after the expiry of salary receivables

Holidays

6 years from the end of the year during which salary was paid

Information about substitute arrangements

3 months after the end of employment

Educational and work history

10 years after the end of employment

Performance appraisals

3 months after the end of employment

Job descriptions

3 months after the end of employment

Culture and exercise benefits

3 months after the end of employment

Working hours records

10 years after the end of the financial period

Work- and training-related travel and expense reports

10 years after the end of the financial period

Skills

1 year after the end of employment

Results of occupational health and safety elections

10 years after the end of employment

 

The aforementioned storage periods can be deviated from if it is necessary in order to investigate any misuse or to fulfil the data controller’s lawful claim.

What are the data subject’s rights?

Right of Access 

The data subject is entitled to obtain confirmation from the controller as to whether the personal data of the data subject is being or has been processed. 

If the data controller processes the personal data of the data subject, the latter is entitled to the information of this document, as well as to a copy of the personal data that is being or has been processed.

If a data subject makes a request electronically and has not requested any other form of delivery, the data will be provided in a generally available electronic format that is compatible with secure delivery of the data.

 

Right to Correct or Erase Data

Data subjects have the right to request the controller to correct or erase their personal data.

Under certain circumstances, data subjects have the right to request processing of their personal data to be restricted, or to otherwise object to the processing of data. In addition, data subjects may request the transfer of data submitted by the data subjects themselves in a machine-readable form based on the General Data Protection Regulation.

Consent withdrawal

If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent at any time. 

The right to object to the processing

The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data when the processing is based on the legitimate interest of the controller or a third party.

How can data subjects exercise their rights?

In all matters involving the processing of personal data, data subjects have the right to contact the controller.

All requests mentioned in the present document must be submitted to the above-mentioned contact point of the controller.

Data subjects also have the right to file a complaint with the supervisory authority if their personal data is or has been processed unlawfully.

How is personal information protected?

Abloy Oy processes personal data safely and in compliance with the applicable legislation. Protection of personal data by Abloy Oy is adequate both technically and organisationally. 

The data is stored in locked premises that are accessible only to authorised persons. Personal data stored in the systems is accessible only to pre-designated persons who need the information for work-related tasks. IT environments are protected by adequate firewalls and other forms of technical protection.

With regard to the processing of personal data, Abloy Oy’s employees and other persons must abide by their obligation of secrecy and must handle personal data confidentially.

Updating Privacy Notice


We will update and change this privacy notice when necessary. We will notify you of such changes on Abloy’s website at https://www.abloy.com/en/site-functions/privacy-centre/privacy-notices/.

18th December 2019.

This privacy notice has been made:  8th October 2019.